When two parties do not know each other and are connected by an insecure channel, establishing secure communication between the parties is a challenge because of a risk that a third party can eavesdrop. A traditional way to overcome this challenge is to find a way for the two parties to share a secret in a way that does not reveal the secret to others (e.g., an eavesdropper, also referred to as an “adversary” or “attacker”). If the two parties have a shared secret, they can use it in accordance with various cryptographic protocols to generate encryption keys and authentication codes for secure communication.
Encryption is typically used to protect messages from being understood by unintended recipients, and authentication is used to ensure the integrity of the message and identify its sender. Some cryptographic schemes are based on symmetric-key ciphers, in which two parties encrypt and decrypt messages using a secret key that the two parties (and they alone) share. Symmetric-key encryption cannot begin, however, until the parties find a way to share or each generate the same secret key. If the parties try to share a secret key (or information used to mutually generate a secret key) over an insecure channel, they risk revealing their secret to an adversary. The adversary could be a passive eavesdropper or an active attacker who can pretend to be one of the parties, potentially intercepting and even modifying information sent between the parties.
Other cryptographic schemes are based on asymmetric or public-key encryption, in which each entity has a pair of keys, one public and one private; data encrypted with the public key can be decrypted only with the corresponding private key, and a digital signature produced with the private key can be verified by anyone holding the public key. Asymmetric-key encryption, although generally more complex and slower than symmetric-key encryption, allows two parties to start communicating even when they have not shared a key in advance. The parties could even use an asymmetric encryption scheme or key-agreement protocol to establish symmetric encryption keys. To do so, though, each party needs to have the other party's public key, and needs to trust that the public key they are using actually belongs to the person they want to communicate with. If the two parties do not know each other and have not agreed on a trusted third party that can vouch for each party's identity (for example, a certificate authority that signs certificates binding a public key to an identity), they each risk communicating unknowingly with an adversary instead of the intended party.
A “man in the middle” attack occurs when a third party (e.g., an adversary) intercepts communications between a first and a second party that want to establish secure communication with each other, and pretends to each party that the attacker is the first or the second party. For example, if Alice wishes to exchange secret information with Bob, Mallory—the man in the middle—can foil their plans. Mallory intercepts a secret sent from Alice to Bob and, pretending to be Alice, sends a different secret to Bob; and then does the same in reverse for messages from Bob to Alice. Both Alice and Bob end up believing they have a secure channel to communicate with the other party, when they are actually each communicating securely with Mallory. Mallory can eavesdrop on the conversation; forward messages without alteration; or actively modify messages, fail to deliver authentic messages, and send false messages to either party.
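The exchange described above, written out as an added example that is not part of this application: Alice and Bob run a Diffie-Hellman style key agreement over an insecure channel, Mallory substitutes her own public value in each direction and ends up with one key shared with Alice and another shared with Bob, and a fingerprint comparison over an authenticated channel (an out-of-band check, or a certificate from a trusted third party) exposes the substitution. The group parameters (the 127-bit Mersenne prime and generator 2), the HMAC-based toy cipher, and the function and class names are illustrative assumptions chosen to keep the example self-contained with the Python standard library; they are not secure parameters for real use.

```python
"""Toy Diffie-Hellman exchange, a man-in-the-middle relay against it, and the
authenticated-channel fingerprint check that detects the relay.
Illustration only: the 127-bit group and HMAC-based cipher are toys."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # Mersenne prime M127, a toy group, far too small for real use
G = 2                # assumed generator for the toy group
NBYTES = 16          # every group element fits in 16 bytes


def keygen():
    """Return (private exponent, public value g^x mod p) for one party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte session key from the shared secret peer_pub^priv."""
    secret = pow(peer_pub, priv, P).to_bytes(NBYTES, "big")
    return hashlib.sha256(b"dh-session-key" + secret).digest()


def fingerprint(pub):
    """Short digest of a public value, to be compared over a trusted channel."""
    return hashlib.sha256(pub.to_bytes(NBYTES, "big")).hexdigest()[:16]


def seal(key, msg):
    """Toy authenticated encryption: HMAC keystream XOR plus an HMAC tag.
    The keystream is one SHA-256 output, so messages are capped at 32 bytes."""
    if len(msg) > 32:
        raise ValueError("toy cipher handles at most 32 bytes")
    nonce = secrets.token_bytes(16)
    stream = hmac.new(key, b"stream" + nonce, "sha256").digest()
    ct = bytes(m ^ s for m, s in zip(msg, stream))
    tag = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag, then strip the keystream; raise on any forgery."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tag mismatch: message forged or wrong key")
    stream = hmac.new(key, b"stream" + nonce, "sha256").digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


class Mallory:
    """Man in the middle: hands her own public value to each side, so she
    holds one session key with Alice and a different one with Bob."""

    def __init__(self):
        self.priv, self.pub = keygen()
        self.key_with_alice = self.key_with_bob = None

    def relay_to_bob(self, alice_pub):
        self.key_with_alice = shared_key(self.priv, alice_pub)
        return self.pub          # Bob takes this to be Alice's value

    def relay_to_alice(self, bob_pub):
        self.key_with_bob = shared_key(self.priv, bob_pub)
        return self.pub          # Alice takes this to be Bob's value

    def tamper(self, blob, new_text):
        """Read Alice's sealed message, then re-seal a replacement for Bob."""
        original = unseal(self.key_with_alice, blob)
        return original, seal(self.key_with_bob, new_text)


def run_exchange(mallory=None):
    """One key agreement; if `mallory` is given she relays both public values."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    if mallory is None:
        a_sees, b_sees = b_pub, a_pub
    else:
        b_sees = mallory.relay_to_bob(a_pub)
        a_sees = mallory.relay_to_alice(b_pub)
    return {
        "alice_key": shared_key(a_priv, a_sees),
        "bob_key": shared_key(b_priv, b_sees),
        # Each side compares the value it received with the peer's true
        # fingerprint, assumed to arrive over an authenticated channel
        # (out of band, or vouched for by a trusted third party).
        "alice_check_ok": fingerprint(a_sees) == fingerprint(b_pub),
        "bob_check_ok": fingerprint(b_sees) == fingerprint(a_pub),
    }


def demo():
    """Honest run versus relayed run; Mallory rewrites one message in transit."""
    honest = run_exchange()
    m = Mallory()
    attacked = run_exchange(m)
    blob = seal(attacked["alice_key"], b"transfer 10 to Bob")   # constructed sample
    read_by_mallory, forged = m.tamper(blob, b"transfer 10 to Mal")
    return {
        "honest_keys_match": honest["alice_key"] == honest["bob_key"],
        "honest_checks": honest["alice_check_ok"] and honest["bob_check_ok"],
        "attacked_keys_match": attacked["alice_key"] == attacked["bob_key"],
        "attacked_checks": attacked["alice_check_ok"] or attacked["bob_check_ok"],
        "mallory_read": read_by_mallory,
        "bob_received": unseal(attacked["bob_key"], forged),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

In the relayed run neither fingerprint check passes, because what Alice received is Mallory's value rather than Bob's; that check only helps if the fingerprint it compares against was itself obtained over a channel Mallory cannot tamper with, which is exactly the trust problem the surrounding text describes. Without it, Bob's tag verification succeeds on the forged message, since it was sealed under the key Bob genuinely shares with Mallory.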
Thus, a man-in-the-middle attack can completely compromise security when two parties try to initiate secure communication over an insecure channel, enabling an attacker to gather login credentials, credit card information, and other sensitive data. Many communications channels, especially wireless communications, are insecure—from public Wi-Fi wireless networks to Bluetooth connections to malicious cell phone transmitters that capture and forward data. It is remarkably cheap and increasingly easy for malicious actors to launch man-in-the-middle attacks on such networks using tools such as briefcase attack kits, “Bluetooth rifle” antennas that enable an attacker to eavesdrop on “short range” radio communications from a kilometer away, and even an unmanned aerial vehicle (UAV or “drone”) equipped for Wi-Fi cracking. At the same time, the need for secure communications is evident in many contexts, whether the parties are individuals, merchants, or even application code. Therefore, finding a way to establish secure communications over insecure channels that is less vulnerable to man-in-the-middle attacks remains an important challenge. Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.